Yara de prueba para detectar patrones extraños de campaña de N40/Mekotio en Chile.
rule detect_strange_msi {
    meta:
        author = "Ricardo Monreal (@joydragon)"
        description = "Yara de prueba para detectar patrones extraños de campaña de N40/Mekotio en Chile. Actualizada 2021-11-03"
    strings:
        // Byte sequences observed in the samples around the "Subject" value:
        // "Fichero", "TGR" or "Arquivo ... cargando". The "??" is a one-byte
        // wildcard (presumably the string length, which varies per sample);
        // the 03/0a/1e markers and trailing 1e are kept exactly as captured.
        $subject_fichero = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 46 69 63 68 65 72 6f 00 1e }
        $subject_tgr     = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 54 47 52 00 1e }
        $subject_arquivo = { 03 00 00 00 0a 00 00 00 1e 00 00 00 ?? 00 00 00 41 72 71 75 69 76 6f 20 2e 2e 2e 20 63 61 72 67 61 6e 64 6f 00 00 00 00 1e }
        // Product language values seen in the campaign
        // (Windows LCID 1033 = English/US, 3082 = Spanish/Spain).
        $lang_en_us = "ProductLanguage1033"
        $lang_es_es = "ProductLanguage3082"
        // OLE Compound File (CFB) header: the 8-byte signature followed by the
        // first zero bytes of the CLSID. MSI packages are CFB containers, but so
        // are legacy .doc/.xls and other OLE files, so this is a container
        // check rather than an MSI-specific one; the other strings narrow it.
        $cfb_header = { D0 CF 11 E0 A1 B1 1A E1 00 00 00 }
        // Exact Advanced Installer version/build string embedded in the package.
        // Tied to one build, so a new builder version will not match this rule.
        $ai_build = "Advanced Installer 17.7 build 8a137570"
    condition:
        // Container header must sit at offset 0; everything else anywhere in the file.
        $cfb_header at 0
        and $ai_build
        and 1 of ($subject_*)
        and 1 of ($lang_*)
}